There are many questions surrounding the WanaCry ransomware attack that started on May 11, 2017. In order to provide some quick answers to common questions and dispel some misconceptions, we are providing this list of frequently asked questions. We will keep this updated as new details emerge. For a more in-depth look at WanaCry, refer to our blog – WanaCry Observations: Big Worm = Big Problems.

[Last updated 12:18pm ET, May 16, 2017]

Is there a new variant in the wild?

Researchers have found many similar samples, but most have turned out to be simply edited versions of the WanaCry malware from the weekend of May 11th. So far, none of the newly discovered samples has been as effective as the version making the news, and some do not even appear to work properly.

Did the WanaCry infections start via a phishing campaign?

There are theories that WanaCry was originally spread through phishing emails, but so far no evidence supports them. Currently it is not known exactly how the WanaCry infections began.

How does WanaCry spread?

WanaCry spreads primarily over SMB by exploiting a Microsoft Windows vulnerability targeted by the ETERNALBLUE exploit, which was attributed to the NSA and released by the Shadow Brokers. Microsoft released a patch for this vulnerability for supported versions of Windows in March 2017, and on Friday, May 12, 2017 even released patches for Windows XP and Windows 2003. WanaCry attempts to spread across the internal network and also tries to connect to random hosts on the Internet via SMB over TCP ports 139 and 445.

What is the “killswitch” domain mentioned in conjunction with WanaCry?

WanaCry attempts to connect to a specific domain when it starts up, and if the connection succeeds it terminates. This may be intended to evade analysis in sandboxes and other malware research environments, which are often configured to return a response for any domain request. The killswitch domains known to be associated with WanaCry have been registered and are hosted by researchers.

Does access to the killswitch domain mean WanaCry won’t work?

If the WanaCry malware is able to reach its associated killswitch domain, it will terminate instead of encrypting files.

What if access to the killswitch domain is blocked?

If access to the WanaCry killswitch domain is blocked by a security tool or by the network configuration, infections inside the organization will proceed, because the malware never receives a reply from the killswitch domain. The fix is to whitelist the domain so connections can succeed, or to set up an internal DNS record for the killswitch domain that points to an internal host.

What if a proxy is required at my organization to get to the Internet?

WanaCry has no proxy support, so if a proxy is required to reach the Internet, communication with the killswitch domain (as well as infection attempts against Internet hosts) will fail. In these situations an administrator can create a DNS record for the killswitch domain that points to an internal host, so that WanaCry's killswitch check can succeed.
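As an added example (not part of the original post), a small check an administrator can run from an internal host to confirm that the DNS override described in the two answers above actually works the way the malware needs it to: the domain must resolve, and the host it resolves to must answer an HTTP request without going through a proxy. KILLSWITCH_DOMAIN is a placeholder, not the real domain; the `resolve` and `fetch` arguments are injectable so the logic can be exercised offline.

```python
import socket
import urllib.error
import urllib.request

KILLSWITCH_DOMAIN = "killswitch-domain.example"  # placeholder: substitute the real domain

def _direct_fetch(url, timeout):
    """HTTP GET that ignores any configured proxy, as the malware itself would.
    Any HTTP status counts as a successful connection."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # e.g. 404 still means the host answered

def check_killswitch(domain=KILLSWITCH_DOMAIN, resolve=socket.gethostbyname,
                     fetch=_direct_fetch, timeout=5):
    """Report each stage of the check. 'malware_would_stop' is True only when
    the domain resolves AND the resolved host answers the HTTP request."""
    result = {"domain": domain, "dns": None, "http": None,
              "malware_would_stop": False, "error": None}
    try:
        result["dns"] = resolve(domain)          # e.g. via an internal DNS override
    except OSError as exc:
        result["error"] = f"dns: {exc}"          # blocked or missing record
        return result
    try:
        result["http"] = fetch(f"http://{domain}/", timeout)
        result["malware_would_stop"] = True      # any answer is enough
    except OSError as exc:
        result["error"] = f"http: {exc}"         # resolves, but nothing answers
    return result

if __name__ == "__main__":
    print(check_killswitch())
```

A result with `dns` set but `malware_would_stop` False means the override record exists but the internal host it points to is not answering, which is the case the second answer above warns about.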

What are all the bitcoin addresses being used for payment?

So far the following bitcoin addresses have been associated with WanaCry:

250 payments have been made totaling over $66,000 to these bitcoin wallets.

How can attacks like this be prevented?

Malware's ability to spread quickly through networks on its own is usually enabled by an unpatched vulnerability, and that is the case with WanaCry. Patching critical vulnerabilities that allow remote code execution (RCE) in a timely manner helps avoid exposure to malware that uses them to spread. For WanaCry specifically, refer to Microsoft security bulletin MS17-010 for patch information.

Preventing direct access from the Internet to internal systems is another key mitigation against WanaCry infections. Systems exposed directly to the Internet are candidates for infections like WanaCry; in this case, allowing SMB connections over TCP port 445 from hosts on the Internet helps WanaCry spread.

For internal networks, splitting hosts into separate segments so that communication between segments is not wide open can help prevent the rapid internal spread of malware. This can be done with Access Control Lists (ACLs) on routers, firewall filtering, or even physical separation between networks. An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) between segments of internal hosts can provide additional protection and visibility.

Up-to-date antivirus software on every host can help against these kinds of infections too. AV may miss initial detections while the malware is new, but applying updated signatures as they become available helps protect against it as time goes on.

Is anything known about who created/deployed WanaCry?

No specific actor or group has officially been accused of creating or launching the WanaCry malware. There is speculation that North Korea may be behind it, but the evidence so far is circumstantial.

If someone pays, do they actually get access to their files again?

There have been reports of people making the requested payment and regaining access to their files. However, the fact that this may have worked for others is no guarantee that payment will restore access to files encrypted by WanaCry.
